Re: [PATCH] locking/refcount: add sparse annotations to dec-and-lock functions

[Kees Cook <keescook@chromium.org>]

On Mon, Dec 30, 2019 at 01:15:47PM -0600, Eric Biggers wrote:
> On Mon, Dec 30, 2019 at 10:43:20AM -0800, Kees Cook wrote:
> > On Sat, Dec 28, 2019 at 12:49:18PM +0100, Peter Zijlstra wrote:
> > > On Thu, Dec 26, 2019 at 09:29:22AM -0600, Eric Biggers wrote:
> > > > From: Eric Biggers <ebiggers@google.com>
> > > > 
> > > > Wrap refcount_dec_and_lock() and refcount_dec_and_lock_irqsave() with
> > > > macros using __cond_lock() so that 'sparse' doesn't report warnings
> > > > about unbalanced locking when using them.
> > > > 
> > > > This is the same thing that's done for their atomic_t equivalents.
> > > > 
> > > > Don't annotate refcount_dec_and_mutex_lock(), because mutexes don't
> > > > currently have sparse annotations.
> > > 
> > > I so f'ing hate that __cond_lock() crap. Previously I've suggested
> > > fixing sparse instead of making such an atrocious trainwreck of the
> > > code.
> > 
> > Ew, I never noticed these before. That is pretty ugly. Can't __acquire()
> > be used directly in the functions instead of building the nasty
> > wrappers?
> 
> The annotation needs to go in the .h file, not the .c file, because sparse only
> analyzes individual translation units.
> 
> It needs to be a wrapper macro because it needs to tie the acquisition of the
> lock to the return value being true.  I.e. there's no annotation you can apply
> directly to the function prototype that means "if this function returns true, it
> acquires the lock that was passed in parameter N".

Gotcha. Well, I guess I leave it to Will and Peter to hash out...

Is there a meaningful proposal anywhere for sparse to DTRT here? If
not, it seems best to use what you've proposed until sparse reaches the
point of being able to do this on its own.

-- 
Kees Cook